
Thread: [SOLVED] best setup scenario

  1. #1
    bbarrons is offline Special Member
    Join Date
    Jan 2008
    Location
    Michigan
    Posts
    174
    Rep Power
    7

    Default [SOLVED] best setup scenario

    I am ready to set up the server to the outside. I can either supply the server with an outside static IP, or port it through the router, or put the server in the DMZ. Any suggestions or pros and cons to any of these solutions?
    thanks
    Bill B

  2. #2
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,585
    Rep Power
    57

    Default

    The recommended set-up is to run a mail server in the DMZ to isolate it from your LAN just in case it gets compromised; however, I run my server inside the LAN with ports forwarded through the firewall to the server. IMO, it would depend which ports you have open to the outside world; for me it's just 25, 587, 443 & 993. Any need for secure access to the server is done via OpenVPN through the firewall.
    Regards


    Bill



  3. #3
    bbarrons is offline Special Member
    Join Date
    Jan 2008
    Location
    Michigan
    Posts
    174
    Rep Power
    7

    Default

    What is the advantage of running in the DMZ over forwarding ports? I was leaning towards port forwarding, but I haven't set up a mail server in 4 years, and back then I ran an Exchange server. I am now trying to familiarize myself with everything again. Thanks for your help once again. Maybe I will get a few other replies and more recommendations....
    Bill

  4. #4
    SPF
    SPF is offline Active Member
    Join Date
    Oct 2006
    Posts
    27
    Rep Power
    8

    Default

    Generally, having a device on a DMZ rather than on the internal network will limit potential unauthorized access should someone gain control over it.

    The theory is that any potential mischief an intruder can cause will be limited to other hosts on the DMZ, and not your critical devices.

    In practice, this depends on a lot of things, like what extent of access you allow from the DMZ to the LAN, and what types of firewalls and other protection you've employed.

    Rule of thumb is to only grant the access in or out of any network that is absolutely necessary. Give people/applications only the access to the ports/protocols they need, and deny everything else. This isn't always easy though.
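
The default-deny rule of thumb above, written as an nftables forward policy for a firewall with separate WAN, LAN and DMZ interfaces. This is an added example, not part of the original posts; the interface names and the address 192.0.2.10 are assumed, the open ports are the four listed in post #2, and NAT is left out.

```nftables
#!/usr/sbin/nft -f
# Added example: forward policy for a three-legged firewall.
# Interface names and the mail server address are assumptions.
flush ruleset

define WAN = "eth0"
define LAN = "eth1"
define DMZ = "eth2"
define MAIL = 192.0.2.10    # constructed DMZ address of the mail server

table inet filter {
    chain forward {
        # Anything not matched by a rule below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed when they were opened.
        ct state established,related accept
        ct state invalid drop

        # Internet -> mail server: only the ports named in the thread.
        iifname $WAN oifname $DMZ ip daddr $MAIL tcp dport { 25, 587, 443, 993 } accept

        # LAN -> mail server: the same services for internal clients.
        iifname $LAN oifname $DMZ ip daddr $MAIL tcp dport { 25, 587, 443, 993 } accept

        # Mail server -> Internet: outbound SMTP and DNS lookups.
        iifname $DMZ oifname $WAN ip saddr $MAIL tcp dport 25 accept
        iifname $DMZ oifname $WAN ip saddr $MAIL meta l4proto { tcp, udp } th dport 53 accept

        # LAN -> Internet.
        iifname $LAN oifname $WAN accept

        # DMZ -> LAN: no accept rule exists, so a compromised mail server
        # cannot open connections to LAN hosts. Log the attempts.
        iifname $DMZ oifname $LAN log prefix "dmz-to-lan-drop: " drop
    }
}
```

With the server on the LAN behind port forwards instead, traffic from the server to other LAN hosts never crosses this chain, so the last rule has nothing to act on.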

  5. #5
    bbarrons is offline Special Member
    Join Date
    Jan 2008
    Location
    Michigan
    Posts
    174
    Rep Power
    7

    Default

    Thanks for the reply, SPF. All advice is greatly appreciated.
    Bill

  6. #6
    webman's Avatar
    webman is offline Special Member
    Join Date
    Oct 2007
    Location
    North East England
    Posts
    167
    Rep Power
    7

    Default

    Our Zimbra server is connected directly to the LAN, with only port 25 allowed through the 2 firewalls we have. External HTTP access is provided by an Nginx reverse proxy.

    During the day we have between 100-150 simultaneous web client sessions. Because of this it makes sense to leave Zimbra on the LAN and not put unnecessary demand on the default router to get to the DMZ - this IPCop box already does routing, web filtering etc. for all 300 workstations.

  7. #7
    bbarrons is offline Special Member
    Join Date
    Jan 2008
    Location
    Michigan
    Posts
    174
    Rep Power
    7

    Default

    Your setup is what I have been leaning towards: only allowing port 25 through the router and leaving Zimbra just on the LAN. I will have between 25-30 users daily connecting to Zimbra with the web interface. How does your server handle that many? Any slowdowns? Our users right now use Outlook, Outlook Express, and Thunderbird. I will want them all using web to take advantage of the calendar and IM features. Presently they use resources for IM and for calendar separately. My hope is to free up those resources on the PC so that they can use them to get their work done. They will start the day opening up Outlook Express, an IM program, a calendar program and have Net Nanny running in the background. I hope to take care of most of that with Zimbra on one server and Squid-DansGuardian on another..... just some of my thoughts..... see anything wrong with that scenario?
    thanks
    Bill B

  8. #8
    webman's Avatar
    webman is offline Special Member
    Join Date
    Oct 2007
    Location
    North East England
    Posts
    167
    Rep Power
    7

    Default

    The server is a Dell PowerEdge 2950 - dual quad-core Xeon (2.2GHz each), 8GB RAM, 2x 73GB SAS disks in RAID1 and Gigabit ethernet. Operating system is Ubuntu 6.06.2 LTS 64bit.

    Under normal use there's usually 2GB RAM free (pesky Java!), and as far as I've noticed (we're only into the third week of using Zimbra) the load average has never gone above 1. Swap isn't used either.

    I think your plan of two separate servers is a good idea and is in line with the official Zimbra recommendations of ZCS having a server to itself. What spec servers are you planning for your ZCS and Squid/DG setup?

  9. #9
    bbarrons is offline Special Member
    Join Date
    Jan 2008
    Location
    Michigan
    Posts
    174
    Rep Power
    7

    Default

    I picked up a rackable server: dual Xeon 2.8 with 2 gig RAM. I have 4 SCSI drives, 37GB each. I used Ubuntu 6.06 and set up 1+0 RAID so I have about 68GB to work with for storage. I upgraded Ubuntu to 7.10 and then to Hardy (8.04) and saw no change in Zimbra. The proxy server is a single Xeon processor 2.8 with 1GB RAM and a 60GB drive.
    I had felt that I needed to upgrade RAM on the Zimbra server, but I haven't put it into production yet so I wasn't sure. I felt that I needed to be around 4 gig to run smooth.
    Bill

  10. #10
    webman's Avatar
    webman is offline Special Member
    Join Date
    Oct 2007
    Location
    North East England
    Posts
    167
    Rep Power
    7

    Default

    Sounds good. I'm not sure about the official compatibility of any other version of Ubuntu than 6.06 though; but if it's working - that's good. What do you have in place for backup? Depending on disk usage it could be a problem if you create a local copy of the Zimbra directory during backup.

    This will eventually be a problem for us as time goes on; but will hopefully have some additional local disks and/or a SAN within the next 6 months.

    Yes, I would definitely throw another 2GB of RAM into the Zimbra server to take it up to 4GB - it should perform much better. (Many threads on the forum that can confirm bumping up the RAM makes it quicker)
